On 7 December 2015, the EU Council reached an informal agreement with the EU Parliament on the draft Network and Information Security (NIS) Directive. The draft Directive sets out cybersecurity obligations for operators of essential services in the healthcare, banking, energy and transport sectors, and also digital service providers (including e-commerce platforms, search engines, social networks, internet payment gateways, and cloud services). These operators will be required to take measures to manage cyber risks and report major security incidents.
“The next big financial shock will arise from a succession of cyber-attacks on financial services firms.”
That is the view of the Chairman of the International Organisation of Securities Commission, as cited by the Central Bank of Ireland’s Deputy Governor, Cyril Roux, during a recent address to the Society of Actuaries.
Last month the Department of Communications, Energy and Natural Resources published the Government’s National Cyber Security Strategy 2015-2017 (the Strategy).
In 2013 the World Economic Forum classified cyber-related threats as one of the highest of all global risks from the perspective of impact and likelihood. This assessment was echoed at a national level in the Government’s 2014 National Risk Assessment. The development and proliferation of Information and Communications Technology (ICT) has transformed the way in which society operates. There are few sectors of either society or the economy which do not rely on some form of ICT for their continued operation. This increased dependence has led to increased risk, with threats such as hacking, cyber-crime, hacktivism, cyber espionage, software failures and even human error posing a direct threat not only to the daily lives of Irish citizens but also to the economy and the State.
Researchers at McAfee have discovered a new “ransomware-as-a-service” tool on the darknet. This tool, named "Tox", allows criminals to automatically create ransomware. Once the victim’s device is infected, the ransomware begins to encrypt their hard drive, allowing the criminal to demand a ransom in exchange for the encryption key.
Domino’s Pizza has suffered a security breach by a group of online professional hackers who accessed the online databases and servers of Domino’s Pizza customers in France and Belgium. The hackers claim to have downloaded over 600,000 customers’ records (592,000 relating to French customers and 58,000 relating to Belgian customers) which include names, addresses, phone numbers, passwords, delivery instructions and even favourite toppings.
In an unusual twist, the hackers demanded a payment of €30,000 to be paid directly to them in exchange for the stolen information, failing which they would publish the personal data online. The hackers posted further information and threats on a Twitter account that has since been suspended. Domino’s France released a statement on Twitter saying that although its data is encrypted, it has fallen victim to "professionals" who were able to "decode the cryptographic system for the passwords".
The Annual Report of the Irish Data Protection Commissioner has been published. It reveals a few interesting trends in both the approach of the Irish regulator and the level of activity in the data protection space in Ireland.